suricata
detect-dns-query.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup dnslayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "suricata-common.h"
32 #include "threads.h"
33 #include "decode.h"
34 #include "detect.h"
35 
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-build.h"
39 #include "detect-engine-mpm.h"
42 #include "detect-content.h"
43 #include "detect-pcre.h"
44 
45 #include "flow.h"
46 #include "flow-util.h"
47 #include "flow-var.h"
48 
49 #include "util-debug.h"
50 #include "util-unittest.h"
51 #include "util-spm.h"
52 #include "util-print.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "detect-dns-query.h"
59 
60 #include "util-profiling.h"
61 #include "util-unittest-helper.h"
62 #include "rust.h"
63 
64 static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, const char *);
65 #ifdef UNITTESTS
66 static void DetectDnsQueryRegisterTests(void);
67 #endif
68 static int g_dns_query_buffer_id = 0;
69 
71  uint32_t local_id; /**< used as index into thread inspect array */
72  void *txv;
73 };
74 
75 static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
76  const DetectEngineTransforms *transforms,
77  Flow *f, struct DnsQueryGetDataArgs *cbdata, int list_id, bool first)
78 {
79  SCEnter();
80 
81  InspectionBuffer *buffer =
82  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
83  if (buffer == NULL)
84  return NULL;
85  if (!first && buffer->inspect != NULL)
86  return buffer;
87 
88  const uint8_t *data;
89  uint32_t data_len;
90  if (rs_dns_tx_get_query_name(cbdata->txv, cbdata->local_id, &data, &data_len) == 0) {
91  return NULL;
92  }
93  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
94 
95  SCReturnPtr(buffer, "InspectionBuffer");
96 }
97 
98 static uint8_t DetectEngineInspectDnsQuery(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
99  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
100  void *alstate, void *txv, uint64_t tx_id)
101 {
102  uint32_t local_id = 0;
103 
104  const DetectEngineTransforms *transforms = NULL;
105  if (!engine->mpm) {
106  transforms = engine->v2.transforms;
107  }
108 
109  while(1) {
110  struct DnsQueryGetDataArgs cbdata = { local_id, txv, };
111  InspectionBuffer *buffer = DnsQueryGetData(det_ctx,
112  transforms, f, &cbdata, engine->sm_list, false);
113  if (buffer == NULL || buffer->inspect == NULL)
114  break;
115 
116  det_ctx->buffer_offset = 0;
117  det_ctx->discontinue_matching = 0;
118  det_ctx->inspection_recursion_counter = 0;
119 
120  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
121  NULL, f,
122  (uint8_t *)buffer->inspect,
123  buffer->inspect_len,
126  if (match == 1) {
128  }
129  local_id++;
130  }
132 }
133 
134 typedef struct PrefilterMpmDnsQuery {
135  int list_id;
136  const MpmCtx *mpm_ctx;
139 
140 /** \brief DnsQuery DnsQuery Mpm prefilter callback
141  *
142  * \param det_ctx detection engine thread ctx
143  * \param p packet to inspect
144  * \param f flow to inspect
145  * \param txv tx to inspect
146  * \param pectx inspection context
147  */
148 static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx,
149  const void *pectx,
150  Packet *p, Flow *f, void *txv,
151  const uint64_t idx, const uint8_t flags)
152 {
153  SCEnter();
154 
155  const PrefilterMpmDnsQuery *ctx = (const PrefilterMpmDnsQuery *)pectx;
156  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
157  const int list_id = ctx->list_id;
158 
159  uint32_t local_id = 0;
160  while(1) {
161  // loop until we get a NULL
162 
163  struct DnsQueryGetDataArgs cbdata = { local_id, txv };
164  InspectionBuffer *buffer = DnsQueryGetData(det_ctx, ctx->transforms,
165  f, &cbdata, list_id, true);
166  if (buffer == NULL)
167  break;
168 
169  if (buffer->inspect_len >= mpm_ctx->minlen) {
170  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
171  &det_ctx->mtcu, &det_ctx->pmq,
172  buffer->inspect, buffer->inspect_len);
173  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
174  }
175 
176  local_id++;
177  }
178 }
179 
180 static void PrefilterMpmDnsQueryFree(void *ptr)
181 {
182  SCFree(ptr);
183 }
184 
185 static int PrefilterMpmDnsQueryRegister(DetectEngineCtx *de_ctx,
186  SigGroupHead *sgh, MpmCtx *mpm_ctx,
187  const DetectBufferMpmRegistery *mpm_reg, int list_id)
188 {
189  PrefilterMpmDnsQuery *pectx = SCCalloc(1, sizeof(*pectx));
190  if (pectx == NULL)
191  return -1;
192  pectx->list_id = list_id;
193  pectx->mpm_ctx = mpm_ctx;
194  pectx->transforms = &mpm_reg->transforms;
195 
196  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDnsQuery,
197  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
198  pectx, PrefilterMpmDnsQueryFree, mpm_reg->pname);
199 }
200 
201 /**
202  * \brief Registration function for keyword: dns_query
203  */
205 {
206  sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
208  sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
209  sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
210  sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
211 #ifdef UNITTESTS
212  sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
213 #endif
216 
218  PrefilterMpmDnsQueryRegister, NULL,
219  ALPROTO_DNS, 1);
220 
223  DetectEngineInspectDnsQuery, NULL);
224 
226  "dns request query");
227 
228  g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
229 
230 #ifdef HAVE_LUA
231  /* register these generic engines from here for now */
236 
238  "dns requests");
240  "dns responses");
241 #endif
242 }
243 
244 
245 /**
246  * \brief setup the dns_query sticky buffer keyword used in the rule
247  *
248  * \param de_ctx Pointer to the Detection Engine Context
249  * \param s Pointer to the Signature to which the current keyword belongs
250  * \param str Should hold an empty string always
251  *
252  * \retval 0 On success
253  * \retval -1 On failure
254  */
255 
256 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
257 {
258  if (DetectBufferSetActiveList(s, g_dns_query_buffer_id) < 0)
259  return -1;
261  return -1;
262  return 0;
263 }
264 
265 #ifdef UNITTESTS
266 #include "detect-isdataat.h"
267 
268 /** \test simple google.com query matching */
269 static int DetectDnsQueryTest01(void)
270 {
271  /* google.com */
272  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
273  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
274  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
275  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
276  0x00, 0x10, 0x00, 0x01, };
277  Flow f;
278  void *dns_state = NULL;
279  Packet *p = NULL;
280  Signature *s = NULL;
281  ThreadVars tv;
282  DetectEngineThreadCtx *det_ctx = NULL;
284 
285  memset(&tv, 0, sizeof(ThreadVars));
286  memset(&f, 0, sizeof(Flow));
287 
288  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
289  "192.168.1.5", "192.168.1.1",
290  41424, 53);
291 
292  FLOW_INITIALIZE(&f);
293  f.flags |= FLOW_IPV4;
294  f.proto = IPPROTO_UDP;
296 
297  p->flow = &f;
298  p->flags |= PKT_HAS_FLOW;
300  f.alproto = ALPROTO_DNS;
301 
305  de_ctx->flags |= DE_QUIET;
306 
307  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
308  "(msg:\"Test dns_query option\"; "
309  "dns_query; content:\"google\"; nocase; sid:1;)");
310  FAIL_IF_NULL(s);
311 
313  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
314 
315  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
316  STREAM_TOSERVER, buf, sizeof(buf));
317  if (r != 0) {
318  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
319  FAIL;
320  }
321 
322  dns_state = f.alstate;
323  FAIL_IF_NULL(dns_state);
324 
325  /* do detect */
326  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
327 
328  if (!(PacketAlertCheck(p, 1))) {
329  printf("sig 1 didn't alert, but it should have: ");
330  FAIL;
331  }
332 
333  if (alp_tctx != NULL)
335  if (det_ctx != NULL)
336  DetectEngineThreadCtxDeinit(&tv, det_ctx);
337  if (de_ctx != NULL)
339  if (de_ctx != NULL)
341 
342  FLOW_DESTROY(&f);
343  UTHFreePacket(p);
344  PASS;
345 }
346 
347 /** \test multi tx google.(com|net) query matching */
348 static int DetectDnsQueryTest02(void)
349 {
350  /* google.com */
351  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
352  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
353  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
354  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
355  0x00, 0x01, 0x00, 0x01, };
356 
357  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
358  0x81, 0x80, /* flags: resp, recursion desired, recursion available */
359  0x00, 0x01, /* 1 query */
360  0x00, 0x01, /* 1 answer */
361  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
362  /* query record */
363  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
364  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
365  0x00, 0x01, 0x00, 0x01, /* type a, class in */
366  /* answer */
367  0xc0, 0x0c, /* ref to name in query above */
368  0x00, 0x01, 0x00, 0x01, /* type a, class in */
369  0x00, 0x01, 0x40, 0xef, /* ttl */
370  0x00, 0x04, /* data len */
371  0x01, 0x02, 0x03, 0x04 }; /* addr */
372 
373  /* google.net */
374  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
375  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
376  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
377  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
378  0x00, 0x10, 0x00, 0x01, };
379  Flow f;
380  void *dns_state = NULL;
381  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
382  Signature *s = NULL;
383  ThreadVars tv;
384  DetectEngineThreadCtx *det_ctx = NULL;
386 
387  memset(&tv, 0, sizeof(ThreadVars));
388  memset(&f, 0, sizeof(Flow));
389 
390  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
391  "192.168.1.5", "192.168.1.1",
392  41424, 53);
393  p2 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
394  "192.168.1.5", "192.168.1.1",
395  41424, 53);
396  p3 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
397  "192.168.1.5", "192.168.1.1",
398  41424, 53);
399 
400  FLOW_INITIALIZE(&f);
401  f.flags |= FLOW_IPV4;
402  f.proto = IPPROTO_UDP;
404  f.alproto = ALPROTO_DNS;
405 
406  p1->flow = &f;
407  p1->flags |= PKT_HAS_FLOW;
409  p1->pcap_cnt = 1;
410 
411  p2->flow = &f;
412  p2->flags |= PKT_HAS_FLOW;
413  p2->flowflags |= FLOW_PKT_TOCLIENT;
414  p2->pcap_cnt = 2;
415 
416  p3->flow = &f;
417  p3->flags |= PKT_HAS_FLOW;
418  p3->flowflags |= FLOW_PKT_TOSERVER;
419  p3->pcap_cnt = 3;
420 
424  de_ctx->flags |= DE_QUIET;
425 
426  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
427  "(msg:\"Test dns_query option\"; "
428  "dns_query; content:\"google.com\"; nocase; sid:1;)");
429  FAIL_IF_NULL(s);
430  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
431  "(msg:\"Test dns_query option\"; "
432  "dns_query; content:\"google.net\"; nocase; sid:2;)");
433  FAIL_IF_NULL(s);
434 
436  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
437 
438  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
439  STREAM_TOSERVER, buf1, sizeof(buf1));
440  if (r != 0) {
441  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
442  FAIL;
443  }
444 
445  dns_state = f.alstate;
446  FAIL_IF_NULL(dns_state);
447 
448  /* do detect */
449  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
450 
451  if (!(PacketAlertCheck(p1, 1))) {
452  printf("(p1) sig 1 didn't alert, but it should have: ");
453  FAIL;
454  }
455  if (PacketAlertCheck(p1, 2)) {
456  printf("(p1) sig 2 did alert, but it should not have: ");
457  FAIL;
458  }
459 
460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
461  buf2, sizeof(buf2));
462  if (r != 0) {
463  printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
464  FAIL;
465  }
466 
467  /* do detect */
468  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
469 
470  if (PacketAlertCheck(p2, 1)) {
471  printf("(p2) sig 1 alerted, but it should not have: ");
472  FAIL;
473  }
474  if (PacketAlertCheck(p2, 2)) {
475  printf("(p2) sig 2 alerted, but it should not have: ");
476  FAIL;
477  }
478 
479  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
480  buf3, sizeof(buf3));
481  if (r != 0) {
482  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
483  FAIL;
484  }
485 
486  /* do detect */
487  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
488 
489  if (PacketAlertCheck(p3, 1)) {
490  printf("(p3) sig 1 alerted, but it should not have: ");
491  FAIL;
492  }
493  if (!(PacketAlertCheck(p3, 2))) {
494  printf("(p3) sig 2 didn't alert, but it should have: ");
495  FAIL;
496  }
497 
498  if (alp_tctx != NULL)
500  if (det_ctx != NULL)
501  DetectEngineThreadCtxDeinit(&tv, det_ctx);
502  if (de_ctx != NULL)
504  if (de_ctx != NULL)
506 
507  FLOW_DESTROY(&f);
508  UTHFreePacket(p1);
509  UTHFreePacket(p2);
510  UTHFreePacket(p3);
511  PASS;
512 }
513 
514 /** \test simple google.com query matching (TCP) */
515 static int DetectDnsQueryTest03(void)
516 {
517  /* google.com */
518  uint8_t buf[] = { 0x00, 28,
519  0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
520  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
521  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
522  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
523  0x00, 0x10, 0x00, 0x01, };
524  Flow f;
525  void *dns_state = NULL;
526  Packet *p = NULL;
527  Signature *s = NULL;
528  ThreadVars tv;
529  DetectEngineThreadCtx *det_ctx = NULL;
530  TcpSession ssn;
532 
533  memset(&tv, 0, sizeof(ThreadVars));
534  memset(&f, 0, sizeof(Flow));
535  memset(&ssn, 0, sizeof(TcpSession));
536 
537  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
538  "192.168.1.5", "192.168.1.1",
539  41424, 53);
540 
541  FLOW_INITIALIZE(&f);
542  f.protoctx = (void *)&ssn;
543  f.flags |= FLOW_IPV4;
544  f.proto = IPPROTO_TCP;
546 
547  p->flow = &f;
550  f.alproto = ALPROTO_DNS;
551 
552  StreamTcpInitConfig(true);
553 
557  de_ctx->flags |= DE_QUIET;
558 
559  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
560  "(msg:\"Test dns_query option\"; "
561  "dns_query; content:\"google\"; nocase; sid:1;)");
562  FAIL_IF_NULL(s);
563 
565  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
566 
567  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
568  STREAM_TOSERVER, buf, sizeof(buf));
569  if (r != 0) {
570  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
571  FAIL;
572  }
573 
574  dns_state = f.alstate;
575  FAIL_IF_NULL(dns_state);
576 
577  /* do detect */
578  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
579 
580  if (!(PacketAlertCheck(p, 1))) {
581  printf("sig 1 didn't alert, but it should have: ");
582  FAIL;
583  }
584 
585  if (alp_tctx != NULL)
587  if (det_ctx != NULL)
588  DetectEngineThreadCtxDeinit(&tv, det_ctx);
589  if (de_ctx != NULL)
591  if (de_ctx != NULL)
593 
594  StreamTcpFreeConfig(true);
595  FLOW_DESTROY(&f);
596  UTHFreePacket(p);
597  PASS;
598 }
599 
600 
601 /** \test simple google.com query matching, pcre */
602 static int DetectDnsQueryTest04(void)
603 {
604  /* google.com */
605  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
606  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
607  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
608  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
609  0x00, 0x10, 0x00, 0x01, };
610  Flow f;
611  void *dns_state = NULL;
612  Packet *p = NULL;
613  Signature *s = NULL;
614  ThreadVars tv;
615  DetectEngineThreadCtx *det_ctx = NULL;
617 
618  memset(&tv, 0, sizeof(ThreadVars));
619  memset(&f, 0, sizeof(Flow));
620 
621  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
622  "192.168.1.5", "192.168.1.1",
623  41424, 53);
624 
625  FLOW_INITIALIZE(&f);
626  f.flags |= FLOW_IPV4;
627  f.proto = IPPROTO_UDP;
629 
630  p->flow = &f;
631  p->flags |= PKT_HAS_FLOW;
633  f.alproto = ALPROTO_DNS;
634 
638  de_ctx->flags |= DE_QUIET;
639 
640  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
641  "(msg:\"Test dns_query option\"; "
642  "dns_query; content:\"google\"; nocase; "
643  "pcre:\"/google\\.com$/i\"; sid:1;)");
644  FAIL_IF_NULL(s);
645  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
646  "(msg:\"Test dns_query option\"; "
647  "dns_query; content:\"google\"; nocase; "
648  "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
649  FAIL_IF_NULL(s);
650 
652  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
653 
654  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
655  STREAM_TOSERVER, buf, sizeof(buf));
656  if (r != 0) {
657  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
658  FAIL;
659  }
660 
661  dns_state = f.alstate;
662  FAIL_IF_NULL(dns_state);
663 
664  /* do detect */
665  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
666 
667  if (!(PacketAlertCheck(p, 1))) {
668  printf("sig 1 didn't alert, but it should have: ");
669  FAIL;
670  }
671  if (!(PacketAlertCheck(p, 2))) {
672  printf("sig 2 didn't alert, but it should have: ");
673  FAIL;
674  }
675 
676  if (alp_tctx != NULL)
678  if (det_ctx != NULL)
679  DetectEngineThreadCtxDeinit(&tv, det_ctx);
680  if (de_ctx != NULL)
682  if (de_ctx != NULL)
684 
685  FLOW_DESTROY(&f);
686  UTHFreePacket(p);
687  PASS;
688 }
689 
690 /** \test multi tx google.(com|net) query matching +
691  * app layer event */
692 static int DetectDnsQueryTest05(void)
693 {
694  /* google.com */
695  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
696  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
697  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
698  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
699  0x00, 0x01, 0x00, 0x01, };
700 
701  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
702  0x81, 0x80|0x40, /* flags: resp, recursion desired, recursion available */
703  0x00, 0x01, /* 1 query */
704  0x00, 0x01, /* 1 answer */
705  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
706  /* query record */
707  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
708  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
709  0x00, 0x01, 0x00, 0x01, /* type a, class in */
710  /* answer */
711  0xc0, 0x0c, /* ref to name in query above */
712  0x00, 0x01, 0x00, 0x01, /* type a, class in */
713  0x00, 0x01, 0x40, 0xef, /* ttl */
714  0x00, 0x04, /* data len */
715  0x01, 0x02, 0x03, 0x04 }; /* addr */
716 
717  /* google.net */
718  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
719  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
720  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
721  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
722  0x00, 0x10, 0x00, 0x01, };
723  Flow f;
724  void *dns_state = NULL;
725  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
726  Signature *s = NULL;
727  ThreadVars tv;
728  DetectEngineThreadCtx *det_ctx = NULL;
730 
731  memset(&tv, 0, sizeof(ThreadVars));
732  memset(&f, 0, sizeof(Flow));
733 
734  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
735  "192.168.1.5", "192.168.1.1",
736  41424, 53);
737  p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_UDP,
738  "192.168.1.5", "192.168.1.1",
739  41424, 53);
740  p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_UDP,
741  "192.168.1.5", "192.168.1.1",
742  41424, 53);
743 
744  FLOW_INITIALIZE(&f);
745  f.flags |= FLOW_IPV4;
746  f.proto = IPPROTO_UDP;
748  f.alproto = ALPROTO_DNS;
749 
750  p1->flow = &f;
751  p1->flags |= PKT_HAS_FLOW;
753  p1->pcap_cnt = 1;
754 
755  p2->flow = &f;
756  p2->flags |= PKT_HAS_FLOW;
757  p2->flowflags |= FLOW_PKT_TOCLIENT;
758  p2->pcap_cnt = 2;
759 
760  p3->flow = &f;
761  p3->flags |= PKT_HAS_FLOW;
762  p3->flowflags |= FLOW_PKT_TOSERVER;
763  p3->pcap_cnt = 3;
764 
768  de_ctx->flags |= DE_QUIET;
769 
770  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
771  "(msg:\"Test dns_query option\"; "
772  "dns_query; content:\"google.com\"; nocase; sid:1;)");
773  FAIL_IF_NULL(s);
774  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
775  "(msg:\"Test dns_query option\"; "
776  "dns_query; content:\"google.net\"; nocase; sid:2;)");
777  FAIL_IF_NULL(s);
778  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
779  "(msg:\"Test Z flag event\"; "
780  "app-layer-event:dns.z_flag_set; sid:3;)");
781  FAIL_IF_NULL(s);
782 
784  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
785 
786  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
787  STREAM_TOSERVER, buf1, sizeof(buf1));
788  if (r != 0) {
789  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
790  FAIL;
791  }
792 
793  dns_state = f.alstate;
794  FAIL_IF_NULL(dns_state);
795 
796  /* do detect */
797  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
798 
799  if (!(PacketAlertCheck(p1, 1))) {
800  printf("(p1) sig 1 didn't alert, but it should have: ");
801  FAIL;
802  }
803  if (PacketAlertCheck(p1, 2)) {
804  printf("(p1) sig 2 did alert, but it should not have: ");
805  FAIL;
806  }
807 
808  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
809  buf2, sizeof(buf2));
810  if (r != 0) {
811  printf("toserver client 1 returned %" PRId32 ", expected 0\n", r);
812  FAIL;
813  }
814 
815  /* do detect */
816  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
817 
818  if (PacketAlertCheck(p2, 1)) {
819  printf("(p2) sig 1 alerted, but it should not have: ");
820  FAIL;
821  }
822  if (PacketAlertCheck(p2, 2)) {
823  printf("(p2) sig 2 alerted, but it should not have: ");
824  FAIL;
825  }
826  if (!(PacketAlertCheck(p2, 3))) {
827  printf("(p2) sig 3 didn't alert, but it should have: ");
828  FAIL;
829  }
830 
831  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
832  buf3, sizeof(buf3));
833  if (r != 0) {
834  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
835  FAIL;
836  }
837 
838  /* do detect */
839  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
840 
841  if (PacketAlertCheck(p3, 1)) {
842  printf("(p3) sig 1 alerted, but it should not have: ");
843  FAIL;
844  }
845  if (!(PacketAlertCheck(p3, 2))) {
846  printf("(p3) sig 2 didn't alert, but it should have: ");
847  FAIL;
848  }
849  /** \todo should not alert, bug #839
850  if (PacketAlertCheck(p3, 3)) {
851  printf("(p3) sig 3 did alert, but it should not have: ");
852  goto end;
853  }
854  */
855 
856  if (alp_tctx != NULL)
858  if (det_ctx != NULL)
859  DetectEngineThreadCtxDeinit(&tv, det_ctx);
860  if (de_ctx != NULL)
862  if (de_ctx != NULL)
864 
865  FLOW_DESTROY(&f);
866  UTHFreePacket(p1);
867  UTHFreePacket(p2);
868  UTHFreePacket(p3);
869  PASS;
870 }
871 
872 static int DetectDnsQueryIsdataatParseTest(void)
873 {
876  de_ctx->flags |= DE_QUIET;
877 
879  "alert dns any any -> any any ("
880  "dns_query; content:\"one\"; "
881  "isdataat:!4,relative; sid:1;)");
882  FAIL_IF_NULL(s);
883 
884  SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
885  FAIL_IF_NULL(sm);
887 
892 
894  PASS;
895 }
896 
897 static void DetectDnsQueryRegisterTests(void)
898 {
899  UtRegisterTest("DetectDnsQueryTest01", DetectDnsQueryTest01);
900  UtRegisterTest("DetectDnsQueryTest02", DetectDnsQueryTest02);
901  UtRegisterTest("DetectDnsQueryTest03 -- tcp", DetectDnsQueryTest03);
902  UtRegisterTest("DetectDnsQueryTest04 -- pcre", DetectDnsQueryTest04);
903  UtRegisterTest("DetectDnsQueryTest05 -- app layer event",
904  DetectDnsQueryTest05);
905 
906  UtRegisterTest("DetectDnsQueryIsdataatParseTest",
907  DetectDnsQueryIsdataatParseTest);
908 }
909 #endif
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1248
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1062
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1455
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1169
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1245
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1403
DetectEngineTransforms
Definition: detect.h:372
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DnsQueryGetDataArgs::local_id
uint32_t local_id
Definition: detect-dns-query.c:71
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:375
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
InspectionBuffer
Definition: detect.h:338
Packet_::flags
uint32_t flags
Definition: decode.h:469
DnsQueryGetDataArgs::txv
void * txv
Definition: detect-dns-query.c:72
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1141
Flow_::protomap
uint8_t protomap
Definition: flow.h:455
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1239
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:327
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:288
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1785
DetectIsdataatData_
Definition: detect-isdataat.h:35
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:465
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:231
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:243
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
detect-pcre.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:96
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1139
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1086
detect-dns-query.h
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:230
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:21
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:835
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:340
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2021
util-profiling.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:96
Packet_
Definition: decode.h:434
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:227
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:314
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1953
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:306
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1101
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:104
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:304
Packet_::flow
struct Flow_ * flow
Definition: decode.h:471
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:667
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1246
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1244
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
SigMatch_::type
uint16_t type
Definition: detect.h:315
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1118
util-spm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1436
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1951
PrefilterMpmDnsQuery::transforms
const DetectEngineTransforms * transforms
Definition: detect-dns-query.c:137
DetectDnsQueryRegister
void DetectDnsQueryRegister(void)
Registration function for keyword: dns_query.
Definition: detect-dns-query.c:204
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:341
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:339
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:486
Flow_::alstate
void * alstate
Definition: flow.h:486
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
PrefilterMpmDnsQuery::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-dns-query.c:136
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_AL_DNS_QUERY
@ DETECT_AL_DNS_QUERY
Definition: detect-engine-register.h:219
DnsQueryGetDataArgs
Definition: detect-dns-query.c:70
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1389
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1431
PrefilterMpmDnsQuery
Definition: detect-dns-query.c:134
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1300
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1183
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:271
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmDnsQuery::list_id
int list_id
Definition: detect-dns-query.c:135
flow-var.h
PrefilterMpmDnsQuery
struct PrefilterMpmDnsQuery PrefilterMpmDnsQuery
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1166
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237
app-layer.h